What is GDPR? How to follow it easily?

What is GDPR in simple terms?

According to the basic definition, The General Data Protection Regulation, GDPR is the document with the help of which European Parlament, Council of the European Union regulate and unify data protection and privacy for all individuals within the European Union.

Simply put, GDPR is the set of rules managing the procedure of collecting, processing, storing and distributing personal data. The main objective is to protect personal data according to human rights.

First, let’s define which data protected by GDPR is personal. Quick identification of the human face is considered personal information.For example, a corporate email including the name and surname will refer to personal data, with any other content, i.e., info@company, - not. Name and mobile phone number apply to personal data as well. However, the address/tel bu itself is general information. If you can find out any fact about the person using data (working place, contacts, etc.), it becomes personal.

MANDATORY REQUIREMENTS OF GDPR:

collect personal data by the consent agreement;

use and process the received data only by the objectives;

destroy data after achieving the goal;

withdraw and erase data at the request of their owner;

ensure data storage security;

spread the data ultimately with the owner agreement.

SET OF RULES FOR THE COMPANIES TO COMPLY WITH GDPR:

1. Request the consent to process the personal data

The company is allowed to process data only after obtaining the consent. Data processing includes сollection, storage, modification, use, distribution, depersonalization, and destruction. The GDPR confirms the consent using an indicator that gives the full information to the subject “to which he/she agrees.” To cut the story short, “term of use” is enough to get the simple consent for the personal data processing. At the same time, permission must be given by specific affirmative action, meaning freely provided, specific, informed and unambiguous agreement of the subject of personal data to their processing.

If you choose such consent form, be ready to fulfill the following requirements:

detailed description of what a person agrees to and the future utilization of gathered data should be provided to a person;

form and text have to be clear, seen and readable ;

form is mandatory to complete, without an agreement a person wouldn’t be allowed to proceed;

each consent form should be kept in the database;

person should be informed about the way he/she can withdraw the consent in the future.

Following the rules means not only getting the concent but also keeping the terms of the agreement. Once the person wants to withdraw the concent, the company immediately should delete personal data.

2. Anonymize data to protect it from spreading

According to GDPR, there are no precise requirements on how to leverage, grade and protect personal data. So the procedure of receiving data can be chosen by the company. The most popular method is to anonymize the information by data encryption and pseudonymization. However, web developers can choose the way of personal data protection. However, the proposed level of protection must meet the standard of technical capabilities of the companies (state-of-the-art).

Pseudonymization is one of the technical and organizational tools to ensure a level of security that is appropriate for risk. It involves changing the information in the way personal data cannot be assigned to a specific subject.

In practice, it is enough to pass the personal database through simple encryption, and keep the keys to decryption separately. Then, in case of leakage, the data can’t be identified without the key. Furthermore, the key can be changed as well. One more way to protect the data is to divide the database and store it separately — one parameter for one database with the assigned personal number. Thus, each database will not contain personal data. Only for specific actions, the system will connect these data. Separating the name from the rest of the data and replacing it with another identifier represent the pseudonymization process.

3. Documentation and registering all action concerning GDPR

Each company can document the list of all measures for the personal data protection in the form of a description, checklist, log-book, etc. This is the best way to ensure the company and its clients in case of information leakage. How to prove the performance of the regulation? Just document all taken measures and actions. Then, if the information leaks, the company may be exempt from administrative fines for violation of the Regulations, as it took all required steps.

4. Assign the data protection officer

This is not the rule, but a piece of advice, which is not mandatory to implement. State and some types of private organizations may assign data protection officers (DPO, or just a data protection officer) to protect personal data. The officer should monitor security measures compliance, act as a data impact assessment consultant - Data Protection Impact Assessments (DPIA), and be the contact person for people who provide personal data and the supervisory body. Position requirements: the existing employee can be appointed as an officer or hire the new one. The main thing is that this candidate has to be an independent expert in the field of personal data protection.

If you want to secure and protect personal data using one more organizational tool, the appointment of the data protection officer is appreciated.

THE LIST OF ACTIONS IN CASE OF PERSONAL DATA VIOLATION

Under GDPR, in personal data protection sphere, there is a subject (a person who provides the information), controller, operator. Moreover, in the case of personal data violation, all actions will differ according to the position obligations.

The Subject is an individual who provides the data for further procession.The Controller is the owner of the database, who identifies objectives and ways of gathering personal information. The Operator is the specialist who works directly with the database.

In the case of information leakage, it is necessary to take the following measures:

operator is obliged to notify the controller of the violation without delay;

controller is obliged to inform the supervisory body about the breach without delay, within 72 hours, if possible;

controller is obliged to notify the Subjects about the personal data violation if it may pose a significant risk to their rights and legitimate interests (except in cases where the controller has taken security measures making the data incomprehensible to the person who received them - changed the encryption key, etc.).

OUTCOMES FOR THE COMPANIES DEALING WITH GDPR:

To collect personal data with the consent of the subject following clear objectives with the full description of future data application;

To provide the subject with the choice to withdraw the agreement of the personal data processing, protect from unauthorized distribution, and delete data after achieving the goal;

To protect the data using the anonymization tool and document all necessary actions for the GDPR fulfilment with the aim of defending the company itself from the future judicial proceedings;

To take adequate measures in the case of personal data violation to prevent data leakage;

To notify the controller/supervising body/ subject about the occurred issue, if it’s possible.

As it turned out, the much-talked-of Regulation doesn’t seem anything super-complex. Follow GDPR is not so complicated as it appears at first sight. Huge fines do not threaten those who will faithfully follow the Rules and have this documentary evidence.

We at Evergreen stick to the level of security regulated by the GDPR and know what actions we have to proceed with to provide our customers with the safety of their data.